I'm trying to use stunnel to connect to a secure server for syslogging. I have a certificate from the central logging server. How do I load this into stunnel so that I can connect?
Cheers and thanks
Cary
On Fri, Sep 16, 2011 at 2:09 AM, Cary Corse cary.corse@zestia.com wrote:
I'm trying to use stunnel to connect to a secure server for syslogging. I have a certificate from the central logging server. How do I load this into stunnel so that I can connect?
Hi Cary
Assuming the server is already set up, the client config is as follows:
1. Set client = yes inside your stunnel conf
2. Add a section that listens on localhost on some random port e.g. 2514, then uses the cert you were given to connect to the remote server
3. Make sure your local syslog.conf logs to localhost on that port you chose.
Something like this in the stunnel conf:
<snip>
; Use it for client mode
client = yes
; Service-level configuration
[syslog]
accept = 127.0.0.1:2514
connect = <remote server>:<remote port>
cert = /path/to/cert
; key = /path/to/key (if cert and key in separate files)
Then your syslog.conf will contain something similar to this:
*.=info;*.=notice;*.=warning;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none @127.0.0.1:2514
There's quite a good article on the subject here: http://freshmeat.net/articles/ssl-encrypting-syslog-with-stunnel
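As an added example (not code from this thread or from the stunnel project), the script below renders the client-side stunnel config described in the reply above and lints it. It goes one step beyond the snippet in that reply by also emitting `verify` and `CAfile`, so that stunnel actually checks the remote server's certificate instead of only presenting `cert`; without a `verify` level the client accepts any server. Option names are taken from the stunnel 4.x manual; the hostname, ports and file paths are constructed placeholders.

```python
"""Render and sanity-check an stunnel client config for TLS-wrapped syslog.

Added example, not from the mailing-list thread. Assumes stunnel 4.x option
names: client, accept, connect, cert, key, verify, CAfile, CApath.
"""
from typing import Dict, List, Optional


def render_client_config(service: str, local_port: int, remote_host: str,
                         remote_port: int, ca_file: str,
                         cert: Optional[str] = None,
                         key: Optional[str] = None) -> str:
    """Return stunnel.conf text for one client-mode service.

    verify = 3 makes stunnel accept the server only if the server's own
    certificate is present in CAfile, which matches the situation in the
    thread: the log server's operator handed over the certificate directly.
    """
    lines = [
        "; client mode: stunnel initiates the TLS connection",
        "client = yes",
        "",
        f"[{service}]",
        f"accept = 127.0.0.1:{local_port}",   # plaintext side stays on loopback
        f"connect = {remote_host}:{remote_port}",
        "verify = 3",
        f"CAfile = {ca_file}",
    ]
    if cert:   # only needed if the server demands a client certificate
        lines.append(f"cert = {cert}")
    if key:
        lines.append(f"key = {key}")
    return "\n".join(lines) + "\n"


def parse_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse stunnel's INI-like syntax.

    Global options live under the pseudo-section '' and '[name]' opens a
    service section. Lines starting with ';' or '#' are comments.
    """
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def lint_client_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    cfg = parse_config(text)
    glob = cfg[""]
    if glob.get("client", "no").lower() != "yes":
        findings.append("global: 'client = yes' missing, stunnel would run as a server")
    for name, opts in cfg.items():
        if name == "":
            continue
        merged = {**glob, **opts}   # service-level options override global defaults
        verify = merged.get("verify")
        if verify is None or int(verify) < 2:
            findings.append(f"[{name}]: verify < 2, the server certificate is not checked")
        elif not (merged.get("CAfile") or merged.get("CApath")):
            findings.append(f"[{name}]: verify set but neither CAfile nor CApath given")
        accept = merged.get("accept", "")
        host = accept.rsplit(":", 1)[0] if ":" in accept else ""
        if host not in ("127.0.0.1", "localhost", "::1"):
            findings.append(f"[{name}]: accept {accept!r} is not bound to loopback; "
                            "plaintext syslog would be reachable from the network")
    return findings


# Constructed config in the shape of the snippet posted in the thread: it
# presents a cert but never asks stunnel to verify the server's certificate.
EXAMPLE_NO_VERIFY = """; Use it for client mode
client = yes
; Service-level configuration
[syslog]
accept = 127.0.0.1:2514
connect = loghost.example:6514
cert = /path/to/cert
"""

if __name__ == "__main__":
    rendered = render_client_config("syslog", 2514, "loghost.example", 6514,
                                    "/etc/stunnel/loghost.pem")
    print(rendered)
    print("rendered config findings:", lint_client_config(rendered))
    print("thread-style config findings:", lint_client_config(EXAMPLE_NO_VERIFY))
```

Feed the rendered text to stunnel as its configuration file; the lint is meant for the local copy before deployment, since stunnel itself will happily start with `verify` unset.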
On 09/15/2011 04:09 PM, Cary Corse wrote:
I'm trying to use stunnel to connect to a secure server for syslogging. I have a certificate from the central logging server. How do I load this into stunnel so that I can connect?
Step 1: Learn as much as possible about the central server, the features of its software, and whether switching to another software might be an option. Here's a snippet from the rsyslog.conf manpage that you might find interesting:
MODULES
imrelp
Input plugin for the RELP protocol. RELP can be used instead of UDP or plain TCP syslog to provide reliable delivery of syslog messages. Please note that plain TCP syslog does NOT provide truly reliable delivery, with it messages may be lost when there is a connection problem or the server shuts down. RELP prevents message loss in those cases. It can be used like this:
$ModLoad imrelp
$InputRELPServerRun 2514
imgssapi
Input plugin for plain TCP and GSS-enabled syslog
(Note: I don't have manpages for syslogd, syslog-ng, or any other implementations at my fingertips right now.)
Evaluate your needs in terms of reliability and authentication, and if the chosen solution still needs encryption on top (and is TCP based with persistent connections ...), add stunnel to it.
Kind regards, J. Bern
J. Bern - just curious - is syslogging over stunnel less stable for some reason, or does it exacerbate the reliability problem mentioned in the manpage? IOW, if you're satisfied with your syslog processing today, will layering in stunnel make anything worse?
Neither RELP nor gssapi auth provide encryption for syslog traffic, iirc ... if you're truly worried about snooping on syslog traffic, not sure how they would help. Seems to me they're orthogonal issues. No?
-----Original Message-----
From: stunnel-users-bounces@stunnel.org [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of Jochen Bern
Sent: Friday, September 16, 2011 4:40 AM
To: Cary Corse
Cc: stunnel-users@stunnel.org
Subject: EXTERNAL: Re: [stunnel-users] Certificates
On 09/15/2011 04:09 PM, Cary Corse wrote:
I'm trying to use stunnel to connect to a secure server for syslogging. I have a certificate from the central logging server. How do I load this into stunnel so that I can connect?
Step 1: Learn as much as possible about the central server, the features of its software, and whether switching to another software might be an option. Here's a snippet from the rsyslog.conf manpage that you might find interesting:
MODULES
imrelp
Input plugin for the RELP protocol. RELP can be used instead of UDP or plain TCP syslog to provide reliable delivery of syslog messages. Please note that plain TCP syslog does NOT provide truly reliable delivery, with it messages may be lost when there is a connection problem or the server shuts down. RELP prevents message loss in those cases. It can be used like this:
$ModLoad imrelp
$InputRELPServerRun 2514
imgssapi
Input plugin for plain TCP and GSS-enabled syslog
(Note: I don't have manpages for syslogd, syslog-ng, or any other implementations at my fingertips right now.)
Evaluate your needs in terms of reliability and authentication, and if the chosen solution still needs encryption on top (and is TCP based with persistent connections ...), add stunnel to it.
Kind regards, J. Bern
On 09/16/2011 04:46 PM, Bucci, David G wrote:
J. Bern - just curious - is syslogging over stunnel less stable for some reason, or does it exacerbate the reliability problem mentioned in the manpage? IOW, if you're satisfied with your syslog processing today, will layering in stunnel make anything worse?
Neither RELP nor gssapi auth provide encryption for syslog traffic, iirc ... if you're truly worried about snooping on syslog traffic, not sure how they would help. Seems to me they're orthogonal issues. No?
Reliability, authentication, secrecy, nonrepudiation, etc. certainly are "orthogonal" in that one doesn't replace the other. Nonetheless, they all are part of IT security and whenever someone says the magic words "we need to secure that", I fully expect *all* these parts to surface in the ensuing project. :-}
Case in point: If your logging warrants encryption to prevent an intruder from reading any messages flying by at random (as opposed to just having a policy that says "all traffic, even if only internal, needs to be encrypted"), it's very likely that the same intruder keeping some of these messages from getting to you (attack on reliability) would be just as bad.
That having been said: I've never run syslog over stunnel and don't know of any issues in doing so beyond the obvious ones (increased connection setup time, possibility of unnoticed cert expiry, etc.). I'm merely following the principle that if you can get a subsystem with the desired functionality already built in, it's likely to have fewer problems (technical as well as design) than trying to cobble things together yourself - and the arena of remote logging protocols has seen *a lot* of evolution to take your pick from.
(That is, at least as far as multipurpose computers are concerned. Office grade switches and routers *still* tend to max out at the stone age UDP-based non-sequence-numbered syslog protocol, for crying out loud. >:-C )
Kind regards, J. Bern